[Date Prev][Date Next] [Chronological] [Thread] [Top]

Error while integrating OpenLDAP and Kerberos

I am trying to set up Kerberos with OpenLDAP backend. I followed this doc http://web.mit.edu/Kerberos/www/krb5-1.12/doc/admin/conf_ldap.html and this https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html#kerberos-ldap-openldap

My krb5.conf file looks like this:

 
[libdefaults]
    default_realm = EXAMPLE.TEST
    dns_lookup_realm = false
    dns_lookup_kdc = false
    rdns = false

[kdcdefaults]
    restrict_anonymous_to_tgt = true    

# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
#configuracion para mi reino
    EXAMPLE.TEST = {
        kdc = krb1.example.test:88
        kdc = krb2.example.test:88
        admin_server = krb1.example.test
        default_domain = example.test
        database_module = openldap_ldapconf
    }

[domain_realm]
#configuracion para mi servidor
    .example.test = EXAMPLE.TEST
    EXAMPLE.test = EXAMPLE.TEST

[dbdefaults]
        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=test

[dbmodules]
        openldap_ldapconf = {
                db_library = kldap
                ldap_kdc_dn = "cn=krbadmin,dc=example,dc=test"

                # this object needs to have read rights on
                # the realm container, principal container and realm sub-trees
        ldap_kadmind_dn = "cn=krbadmin,dc=example,dc=test"

                # this object needs to have read and write rights on
                # the realm container, principal container and realm sub-trees
                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                ldap_servers = ldap://127.0.0.1
                ldap_conns_per_server = 5
        }

[login]
#   krb4_convert = true
#   krb4_get_tickets = false

[logging]
    kdc = FILE:/var/log/kerberos/krb5kdc.log
    admin_server = FILE:/var/log/kerberos/kadmin.log
    default = FILE:/var/log/kerberos/krb5lib.log

I added the krbPrincipalName index:

dn: olcDatabase={1}hdb,cn=config
add: olcDbIndex
olcDbIndex: krbPrincipalName eq,pres,sub

I gave permissions to the kadmind and krb5kdc for reading a writing in the LDAP database:

dn: olcDatabase={1}hdb,cn=config replace: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=krbadmin,dc=example,dc=com" write by anonymous auth by self write by * none
-
add: olcAccess olcAccess: to dn.base="" by * read
-
add: olcAccess olcAccess: to * by dn="cn=krbadmin,dc=example,dc=com" write by * read

When i try to restart the krb5-admin-server I get this error:

[....] Restarting Kerberos administrative servers: kadmindkadmind: Invalid credentials while initializing, aborting failed!

Any suggestion for solving this problem? I thinks there is a missing configuration on my LDAP, but I am not sure.

Thanks in advance.

-- 
Verónica Ovando